Incident handling

2. Assess and resolve the incident

A dedicated Incident Response Team is set up to find the root cause and resolve the incident. Our team of experts in cyber security has deep technical expertise in various fields, and participates in the problem solving as needed, in addition to the experts of the product affected by the incident.

The security professionals on our Security Operations team handle day-to-day security operations including being subject matter experts in incident handling. The team also handles our security systems and frameworks, and provides training and guidance to our product teams in matters related to security.

Visma Group Legal including the local Data Protection Manager (DPM) is always part of the response team for privacy incidents, to ensure that risks are assessed and proper communication is done. Internal and external stakeholders are informed continuously through this process.

To ensure efficient and transparent communication, we set up dedicated chat rooms for the specific incident, involving only the personnel needed.

Mitigating actions are done as needed to ensure we fix the problem and prevent it from happening again. The actions and their timeline are documented in the Incident Report, in addition to the root cause analysis, details describing the incident, and the consequences for any data subjects involved.

Crisis management

If an incident reaches a certain level of significant negative impact, it is classified as a crisis. Impact in this context involves any major negative impact to life and health, financial impact, data protection and more.

Upon a suspected crisis, the crisis management team is mobilised. The crisis management team involves Visma Group Management members as well as related and relevant members of Visma companies involved in the crisis. The crisis management process describes and initiates clear roles, responsibilities and actions to be performed and aims to prevent crisis in high impact incidents, as well as carry out crisis impact assessment, crisis handling and crisis closure.

Filing reports to the local data protection authority

Visma operates in many countries and reports shall be given in the country where the data subjects involved are located. Visma will report incidents if we are the data controller for the personal data. In cases where we are the data processor, we will inform the data controller (our customer) and they will decide if it is necessary to file a report or not. We recommend our customers to follow the guidelines from the EDPB.

How Visma handles privacy incidents

Crisis management

Filing reports to the local data protection authority